Step 1: Set up SBL
Some of the following instructions are taken from different documents mentioned in Download the SBL Source Code and the Slim Bootloader Document and assembled here to provide a better user experience.
In this step, you will configure Intel® TCC Tools during the SBL setup on your host system. You will need to enable the following options in SBL:
Intel® Time Coordinated Computing Mode (Intel® TCC Mode)
The Intel® TCC Mode option configures many individual settings in a single location. These settings are considered the out-of-box configuration for real-time applications and the starting point for exploring Intel® TCC Tools.
Software SRAM
The Software SRAM option enables or disables software static random-access memory (software SRAM). Software SRAM enables you to allocate low-latency memory buffers for your real-time applications. Software SRAM is a software construct that uses hardware capabilities to allocate a portion of the physical address space into the cache so the addresses are less likely to be evicted by the same or other processes. For details about the Software SRAM option, see the Developer Guide.
Data Streams Optimizer
The data streams optimizer option enables or disables the data streams optimizer tool. The tool enables you to improve data movement between processor subsystems, for example, when data packets need to be transferred between an Ethernet card connected to a PCIe* port and system memory. The tool tunes the various control points between these entities by instructing the SBL to write values to registers. For details about the data streams optimizer option, see the Data Streams Optimizer Setting.
TCC Error Log
The Intel® TCC error log feature allows you to view errors encountered during the BIOS boot process.
Based on your use case, you may decide later to use a different SBL configuration.
Supported Hardware
See these supported hardware for supported processors.
Intel® TCC Tools currently supports the following processors:
Intel® Xeon® W-11000E Series Processors (code name: Tiger Lake H Processors)
12th Generation Intel® Core™ Processors (code name: Alder Lake -S Processors)
11th Generation Intel® Core™ Processors (code name: Tiger Lake UP3 Processors)
Intel Atom® x6000E Series Processors (code name: Elkhart Lake Processors)
SBL Prerequisites
You will need the DediProg* device, DediProg software (engineering version), and a Windows* Host.
Download the SBL Source Code
Download the SBL source code by referring to the SBL Firmware Release Notes for your platform:
SBL Firmware Release Notes Supported Hardware
SBL Firmware Release Notes Document Number
Intel® Xeon® W-11000E Series Processors (Code Name: Tiger Lake H Processors)
12th Generation Intel® Core™ Processors (Code Name: Alder Lake Processors)
11th Generation Intel® Core™ Processors (Code Name: Tiger Lake UP3 Processors)
Intel Atom® x6000E Series Processors (Code Name: Elkhart Lake Processors)
Extract the compressed file. You will see three files: Readme_Extract.txt, ReleaseNotes.txt, and the *.se file.
Create a <work_directory> in the Linux* machine: mkdir sbl-test
Copy the *.se file into your <work_directory>.
Make the *.se file executable by running the following command: chmod +x <filename>.se
Extract the *.se file by running the following command: ./<filename>.se
Page through the license using the space bar. At the end, enter ‘y’ and press ENTER to accept the license.
Extract the contents of the *.se file into a directory with the same name as the *.se file (without the .se extension).
Extract the SblPlatform.zip file.
The following table lists the contents in the extracted *.se file:
File List DOCUMENTATION
Description
SblPlatform.zip
SBL source code
UefiPldPlatform.zip (not required if using SBL)
UEFI payload source code
CfgData
SBL configuration data
Documents/TGL_UP3_IoT_Features.pdf
Documentation on how to enable Intel® TCC, TSN, IBECC, FuSa
Documents/TGL_UP3_FirmwareUpdate.pdf
Documentation on how to update firmware
Documents/SBL_TGL_Security_addendum.pdf
Tiger Lake UP3 Processors security feature
Documentation/license.txt
License
Licenses/License Notices.pdf
License notices
Licenses/Slim Bootloader_C2A_Commercial Use License -limited use binary Final Clean 3.7.19.pdf
Commercial Use License
Enable Intel® TCC in SBL
To enable the Intel® TCC subregion setting in SBL, go to the following directory:
<work_directory>/SblPlatform/SblOpen/Platform/<PlatformBoardPkg>/
For example, for Intel® Xeon® W-11000E Series Processors (codename: Tiger Lake H Processors) or 11th Generation Intel® Core™ Processors (codename: Tiger Lake UP3 Processors), go to the following directory:
<work_directory>/sbl-tgl-up3-mr5-rel/SblPlatform/SblOpen/Platform/<PlatformBoardPkg>/
NOTE:Replace <PlatformBoardPkg> with:“TigerlakehBoardPkg” for Intel® Xeon® W-11000E Series Processors
“AlderlakeBoardPkg” for 12th Generation Intel® Core™ Processors
“TigerlakeBoardPkg” for 11th Generation Intel® Core™ Processors
“ElkhartlakeBoardPkg” for Intel Atom® x6000E Series Processors
Open the “BoardConfig.py” configuration file and change “self.ENABLE_TCC=1” and “self.ENABLE_TSN = 1”.
Save the configuration file.
Download the Cache Reservation Library (CRL) Binary:
The Cache Reservation Library (CRL) binary, formerly known as the Platform Tuning Configuration Manager (PTCM) binary, is a module that implements the logic to create software SRAM buffers within the cache hierarchy on Intel® Xeon® W-11000E Series Processors, 12th Generation Intel® Core™ Processors, 11th Generation Intel® Core™ Processors and Intel Atom® x6000E Series Processors.
The Intel’s Integrated Firmware Image (IFWI) binary enables CRL by default, to create software SRAM regions within the physical address space accessible through Intel® TCC Tools. To enable Intel® TCC Tools, integrate the specific CRL version for your Intel® platform, into the UEFI BIOS or Slim Bootloader.
Go to the following directory:
<work_directory>/SblPlatform/SblOpen/Platform/<PlatformBoardPkg>/
NOTE:Replace <PlatformBoardPkg> with:“TigerlakehBoardPkg” for Intel® Xeon® W-11000E Series Processors
“AlderlakeBoardPkg” for 12th Generation Intel® Core™ Processors
“TigerlakeBoardPkg” for 11th Generation Intel® Core™ Processors
“ElkhartlakeBoardPkg” for Intel Atom® x6000E Series Processors
Create the “Binaries” folder in the path.
At the following table, find your Intel® platform, look for the latest release, then click the CRL version link to download the .zip file. Then, extract the .zip file.
CRL and Firmware Compatibility Intel® Platform
Release
Intel Firmware Image (IFWI) Kit Version
CRL Version
Intel® TCC Tools Version
Intel Atom® x6000E Series Processors
MR5
v4326_00
2022.2
Intel Atom® x6000E Series Processors
MR3
v4122_00
2022.1
Intel Atom® x6000E Series Processors
MR2
v3471.01
2021.3, 2022.1
11th Generation Intel® Core™ Processors
MR7
v5455_01
2022.2
11th Generation Intel® Core™ Processors
MR5
v5035_01
2022.1
11th Generation Intel® Core™ Processors
MR4
v4415_01
2021.3, 2022.1
Intel® Xeon® W-11000E Series Processors
MR5
v5285_01
2022.2
Intel® Xeon® W-11000E Series Processors
MR3
v5055_01
2022.1
Intel® Xeon® W-11000E Series Processors
MR2
v4425_01
2021.3, 2022.1
12th Generation Intel® Core™ Processors
MR3
v3381_00
2022.2
12th Generation Intel® Core™ Processors
MR1
v3125_00
2022.1
12th Generation Intel® Core™ Processors
PV
v2501_00
2022.1
Copy the CRL binary (crl.bin) into the “Binaries” folder.
Set up the Build Environment
NOTE:The Linux* host system (Ubuntu 20.04 LTS 64-bit) is also supported for code development and compilation, but with limited validation coverage.
Instructions in this section show how to install the following software, to set up the build environment on the Linux* host system:
GCC 7.3 or above
Python* release 3.6 or above
NASM 2.12.02 or above
iASL 20200326
OpenSSL* toolkit version 1.1.1 or above
Git* version control system
Install the required packages on the Ubuntu* OS using the following command: $ sudo apt-get install -y build-essential iasl python uuid-dev nasm openssl gcc-multilib qemu git
To check if iASL version 2020 or above version is installed successfully: #. iasl -v
To install iASLASL version 2020 or above, run the following commands in any folder:
wget https://acpica.org/sites/acpica/files/acpica-unix-20200326.tar.gz
tar xzf acpica-unix-20200326.tar.gz
cd acpica-unix-20200326
make
sudo make install
See iASL user guide for more details on iASL.
Get the OpenSSL toolkit path using the following command:
whereis -b openssl
Export the OpenSSL toolkit path using the following command:
export OPENSSL_PATH=<OpenSSL_Toolkit_Path>
E.g. export OPENSSL_PATH=/usr/local/bin/openssl
Generate Keys
Before building the Slim Bootloader, you need to generate a set of cryptographic keys. These keys have the .pem extension, and may be referred to as the PEM keys in other documents. Several Keys are required for SBL components signing and verification. The keys are required as the user will need to put them in a location with a specified name.
Go to the SblPlatform directory using the following command:
cd <work_directory>/SblPlatform
Create the SblKeys folder using the following command:
mkdir SblKeys
SBL also provides a tool (SblOpen/BootloaderCorePkg/Tools/GenerateKeys.py) to generate all the keys in the SBL source code. Generate the keys in the SblKeys folder using the following command:
python3 SblOpen/BootloaderCorePkg/Tools/GenerateKeys.py -k SblKeys
When using the SBL OsLoader payload, use the following to verify the OS image:
OS1_TestKey_Pub_RSA2048.pem or
OS1_TestKey_Pub_RSA3072.pem
Replace them with the respective public keys used when signing the OS Image.
For OS images with the Yocto Project* container images, refer to the Yocto Project* Best-Known Configuration (BKC) Release Notes. Get the private key used in signing the Yocto Project SBL container image during the Yocto Project image build. Refer to Step 2: Build Yocto Project*-Based Image. Then, extract the public keys and replace them with the following:
OS1_TestKey_Pub_RSA2048.pem or
OS1_TestKey_Pub_RSA3072.pem
NOTE:The key generation process is a one-time process. Use the same set of keys for signing and verification operations when generating the firmware capsule update image, configuration data, container image, and others. Verification operations will fail (security violations) if different keys are used. Also use the same keys in the sbl_os and sbl_rtcm for the Yocto Project* build image, and for the data streams optimizer tool and the Cache Configurator tool.For more information, refer to the key generation procedure in the Keys Generation section of the Slim Bootloader Project Documentation.
Configure the SBL (Optional)
Refer to the Slim Bootloader Configuration for more information on configuring the board or platform specific settings (for example, GPIO, features, memory, and boot options) using the SBL configuration data feature.
Build the SBL
Change the permissions file on the wrappers with these commands:
cd SblPlatform/SblOpen/BaseTools/BinWrappers/PosixLike/
chmod +x *
Go to your platform board package directory to open the .dlt file (the file depends on whether you are using LPDDR4 or DDR4), example given as follows:
vi SblPlatform/SblOpen/Platform/<platform_board_package>/CfgData/CfgData_Int_Tglu_Ddr4.dlt
Comment out the payload setting as follows to use the OsLoader payload:
#GEN_CFG_DATA.PayloadId | 'AUTO'
Build the SBL with OsLoader Payload:
python3 SblPlatform/SblOpen/BuildLoader.py build tgl -r
NOTE:- -r is for release build. Default is the debug build.
If you get an error, clean using the following command: python3 BuildLoader.py clean.
After the SBL is generated, you can see “Done [platform_codename]!”. The output is located in the Outputs/<platform_codename> folder.
The SBL supports two different payloads: - OsLoader which is the built-in payload built when building the SBL. - UEFI Payload which needs to be built separately. To build a UEFI payload into the Slim Bootloader, you need to copy UEFIPAYLOAD.FD to SblOpen/Platform/<PlatformBoardPkg>/Binaries/UefiPld.fd before building the SBL.
NOTE:Replace <PlatformBoardPkg> with:“TigerlakehBoardPkg” for Intel® Xeon® W-11000E Series Processors
“AlderlakeBoardPkg” for 12th Generation Intel® Core™ Processors
“TigerlakeBoardPkg” for 11th Generation Intel® Core™ Processors
“ElkhartlakeBoardPkg” for Intel Atom® x6000E Series Processors
The SBL can be built with the OsLoader and UEFI payload in a single SBL image. If both are built in, you can use J9J5 header on the 11th Generation Intel® Core™ Processors RVP, for example, to select the payload to boot with. - When pin 3-4 are connected, select the UEFI payload. - Otherwise, select the OsLoader payload to boot.
If you always want to boot to the UEFI payload without using the GPIO pin selection, you can update the config file to specify which payload to boot as follows before the build. As an example, for the 11th Generation Intel® Core™ Processors:
In SblOpen/Platform/TigerlakeBoardPkg/CfgData/CfgData_Int_Tglu_Ddr*.dlt,
change: GEN_CFG_DATA.PayloadId | 'AUTO' to GEN_CFG_DATA.PayloadId | 'UEFI'
To build the SBL with OsLoader and UEFI payload (if you are using the UEFI binaries):
python3 SblBuild.py build tgl -p "OsLoader.efi:LLDR:Lz4;UefiPld.fd:UEFI:Lzma"
The Slimbootloader.bin image will be generated in the Outputs/<platform_name> folder.
NOTE:This binary needs to be stitched before writing to flash.
Stitch the SBL
Go to your work directory using the following command:
cd <work_directory>
Create the Components folder at your work directory using the following command:
mkdir Components
Go to the Components folder using the following command:
cd Components
Download each “Package” in the table and store all packages in the Components folder.
Extract the packages using unzip <filename_and_extension>, for example:
unzip 'IntelCSME_TGL-U_15.0.35.1951 V6.1_Consumer.zip'
Go back to your work directory using the following command:
cd ..
Create the Stitching folder at your work directory using the following command:
mkdir Stitching
Go to the Stitching folder:
cd Stitching
Create each folder listed in the “Destination File” column using mkdir <destination_folder>, for example:
mkdir Fit
Copy all files listed under the “Source File” column to the “Destination File” locations, using cp -r <source_file_path> <destination_file_path>. If you see *.*, you will need to copy all files. For example,
cp -r ~/<work_directory>/Components/IntelCSME_TGL-U_15.0.35.1951\ V6.1_Consumer/Tools/System_Tools/FIT/Linux64/* Fit/
If a different name is given as the “Destination File”, rename the file according to the name given in “Destination File” (e.g. rename “ME_FW_Consumer_15.0.35.1951_prod.bin” to “MeRegionFile.bin”):
NOTE:Contact an Intel representative for the latest Best Known Configuration (BKC) information to obtain the needed stitching components if any of the following links are not available.
Downloading Ingredients
To generate the IFWI for booting, the Slim Bootloader needs to stitch with other ingredients. To facilitate the Slim Bootloader stitching process, some stitch scripts are provided with this release kit to create an IFWI.
Download the latest stitching ingredients by referring to the SBL Firmware Release Notes for your platform:
SBL Firmware Release Notes Supported Hardware
SBL Firmware Release Notes Document Number
Intel® Xeon® W-11000E Series Processors (Code Name: Tiger Lake H Processors)
12th Generation Intel® Core™ Processors (Code Name: Alder Lake Processors)
11th Generation Intel® Core™ Processors (Code Name: Tiger Lake UP3 Processors)
Intel Atom® x6000E Series Processors (Code Name: Elkhart Lake Processors)
Generate the BpmGen2 Params
Follow these steps to generate the bpmgen2.params file manually using the BpmGen2GUI tool:
NOTE:Skip the following steps if the bpmgen2.params file has been generated.
In Windows* OS, run the BpmGen2GUI tool.
NOTE:- Anti-malware software may prevent this tool from running. For example, if the Microsoft Defender SmartScreen* software blocks the BpmGen2UI tool, click “More Info” to run the tool.
bpmgen2.params is a default file. As part of the stitching process, the required parameters would be overwritten with get_bpmgen2_params_change_list defined in StitchIfwiConfig*py. This is as per the SBL configuration.
Select a working directory (BpmGen2/).
Click [Create Boot Policy Manifest (BPM) Def].
NOTE:Do not click the highlighted option, [Create Key Manifest (KM)].Navigate to the BPM Screen 3, as shown in the following figure:
Click [Save BPM Definition File].
Save as bpmgen2.params without changing any default configuration.
Copy bpmgen2.params to the BpmGen2 folder in the Linux* OS.
Stitching Steps
Ensure all the stitch components are ready in the <work_directory>/Stitching folder, and the SBL binary in the Outputs/<platform_name> folder. If you need to build the SBL, refer to the Build the SBL section.
Run the following command in the command line console to see the help message about the stitch script: python3 SblOpen/Platform/<PlatformBoardPkg>/Script/StitchIfwi.py -h
usage: StitchIfwi.py [-h] [-p PLATFORM] [-w WORK_DIR] -c CONFIG_FILE [-s SBL_FILE] [-b {legacy,vm,fve,fvme}] [-d PLAT_DATA] [-r] [-t {ptt,dtpm,none}] [-o OPTION] [-op OUTPATH]
NOTE:
Replace <PlatformBoardPkg> with:
“TigerlakehBoardPkg” for Intel® Xeon® W-11000E Series Processors
“AlderlakeBoardPkg” for 12th Generation Intel® Core™ Processors
“TigerlakeBoardPkg” for 11th Generation Intel® Core™ Processors
“ElkhartlakeBoardPkg” for Intel Atom® x6000E Series Processors
NOTE:
If you received an error about missing libxcb-xinerama.so.0, run the following command to install: sudo apt-get install libxcb-xinerama.so.0
Argument |
Description |
|---|---|
-h, –help |
show this help message and exit |
-p PLATFORM |
specify platform SKU to stitch |
-w WORK_DIR |
specify stitch workspace directory, Intel® Converged Security and Management Engine (Intel® CSME) tools and ingredients should be here |
-c CONFIG_FILE |
specify the platform specific stitch config file |
-s SBL_FILE |
specify slim bootloader file or generate zip file |
-b {legacy,vm,fve,fvme} |
specify Boot Guard profile type |
-d PLAT_DATA |
Specify a platform specific data (HEX, DWORD) for customization |
-r |
delete temporary files after stitch |
-t {ptt,dtpm,none} |
specify TPM type |
-o OPTION |
Platform-specific stitch option. Format: ‘-o option1; option2; …’ For each option, the format is ‘parameter:data’. Try -o help for more information. |
-op OUTPATH |
Specify path to write output IFWI and signed bin files. |
For -o parameter, type -o to obtain the following details:
‘sata’ – Enable SATA direct port, by default disabled.
‘tsn7’ – Enable TSN Port 7, by default TSN port is disabled.
‘lp4’ – Stitch for DDRLP4 board, by default for DDR4 board.
‘32MB’ – Stitch image set to 32MB, by default use 16MB.
‘spi’ – Set SPI frequency to be 25MHz, 33MHz, 50MHz, 100MHz.
As an example, the following steps show how to stitch an IFWI image with the verified boot and measured boot enabled for the 11th Generation Intel® Core™ Processors platform, Bx silicon:
Run the following command:
python3 SblOpen/Platform/TigerlakeBoardPkg/Script/StitchIfwi.py -b legacy -s SblOpen/Outputs/tgl/Stitch_Components.zip -c SblOpen/Platform/TigerlakeBoardPkg/Script/StitchIfwiConfig_tglu.py -w <work_directory>/Stitching/ -p tglu_b0
If stitching is successful, the following message is displayed. sbl_ifwi_tglu_b0.bin file is generated in the current folder:
IFWI Stitching completed successfully! Boot Guard Profile: LEGACYIFWI image: sbl_ifwi_tglu_b0.bin
NOTE:- The stitch command only helps you to generate an IFWI quickly with the default settings. You can also change soft straps as needed by using the Intel® Flash Image Tool (Intel® FIT) tool based on the generated IFWI image. Refer to TGL-LP Consumer Bring Up Guide.pdf in the Intel® CSME package described in the Downloading Ingredients section.
If you received a “permission denied” error while trying to build the SBL, use the following command to edit the permission so that everyone can access the folder: chmod +x <folder_name/binary_name>
Flash the SBL onto the board.
NOTE:This activity is applicable on Intel’s Reference Validation Platform (RVP) or Customer Reference Board (CRB). If you are using the Original Equipment Manufacturer (OEM) or Original Device Manufacturer (ODM) board, work with your BIOS vendor or contact an Intel representative.
For more information on flashing the bootloader using a DediProg device, refer to the Intel Atom® x6000E Series, and Intel® Pentium® and Celeron® N and J Series Processors for IoT Applications (Elkhart Lake) - CRB User Guide.